cve-2019-15619
Vulnerability from cvelistv5
Published
2020-02-04 19:08
Modified
2024-08-05 00:56
Severity ?
Summary
Improper neutralization of file names, conversation names and board names in Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3 and Nextcloud Deck 0.6.5 causes an XSS when linking them with each others in a project.
References
support@hackerone.comhttps://hackerone.com/reports/662204Permissions Required
support@hackerone.comhttps://nextcloud.com/security/advisory/?id=NC-SA-2020-008Vendor Advisory
support@hackerone.comhttps://nextcloud.com/security/advisory/?id=NC-SA-2020-009Vendor Advisory
support@hackerone.comhttps://nextcloud.com/security/advisory/?id=NC-SA-2020-010Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://hackerone.com/reports/662204Permissions Required
af854a3a-2127-422b-91ae-364da2661108https://nextcloud.com/security/advisory/?id=NC-SA-2020-008Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://nextcloud.com/security/advisory/?id=NC-SA-2020-009Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://nextcloud.com/security/advisory/?id=NC-SA-2020-010Vendor Advisory
Impacted products
Vendor Product Version
n/a Nextcloud Server Version: 16.0.4
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T00:56:22.104Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/662204"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-008"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-009"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-010"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Nextcloud Server",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "16.0.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper neutralization of file names, conversation names and board names in Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3 and Nextcloud Deck 0.6.5 causes an XSS when linking them with each others in a project."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Cross-site Scripting (XSS) - Stored (CWE-79)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-02-04T19:08:57",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/662204"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-008"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-009"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-010"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "ID": "CVE-2019-15619",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Nextcloud Server",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "16.0.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Improper neutralization of file names, conversation names and board names in Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3 and Nextcloud Deck 0.6.5 causes an XSS when linking them with each others in a project."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cross-site Scripting (XSS) - Stored (CWE-79)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://hackerone.com/reports/662204",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/662204"
            },
            {
              "name": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-008",
              "refsource": "MISC",
              "url": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-008"
            },
            {
              "name": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-009",
              "refsource": "MISC",
              "url": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-009"
            },
            {
              "name": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-010",
              "refsource": "MISC",
              "url": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-010"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2019-15619",
    "datePublished": "2020-02-04T19:08:57",
    "dateReserved": "2019-08-26T00:00:00",
    "dateUpdated": "2024-08-05T00:56:22.104Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nextcloud:deck:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"0.6.6\", \"matchCriteriaId\": \"BF74F6C8-E3B7-4AC5-820E-02B75C748DC5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"16.0.4\", \"matchCriteriaId\": \"4F7379C3-F476-42A7-BD34-63BEBB2745FB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nextcloud:talk:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"6.0.4\", \"matchCriteriaId\": \"31253046-1C67-45F5-AE9D-BF23F6846253\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Improper neutralization of file names, conversation names and board names in Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3 and Nextcloud Deck 0.6.5 causes an XSS when linking them with each others in a project.\"}, {\"lang\": \"es\", \"value\": \"Una neutralizaci\\u00f3n inapropiada de los nombres de archivo, nombres de conversaci\\u00f3n y nombres de tarjeta en Nextcloud Server versi\\u00f3n 16.0.3, Nextcloud Talk versi\\u00f3n 6.0.3 y Nextcloud Deck versi\\u00f3n 0.6.5, causa una vulnerabilidad de tipo XSS cuando se vinculan entre s\\u00ed en un proyecto.\"}]",
      "id": "CVE-2019-15619",
      "lastModified": "2024-11-21T04:29:08.627",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 4.8, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.7, \"impactScore\": 2.7}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:S/C:N/I:P/A:N\", \"baseScore\": 3.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 6.8, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2020-02-04T20:15:12.340",
      "references": "[{\"url\": \"https://hackerone.com/reports/662204\", \"source\": \"support@hackerone.com\", \"tags\": [\"Permissions Required\"]}, {\"url\": \"https://nextcloud.com/security/advisory/?id=NC-SA-2020-008\", \"source\": \"support@hackerone.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://nextcloud.com/security/advisory/?id=NC-SA-2020-009\", \"source\": \"support@hackerone.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://nextcloud.com/security/advisory/?id=NC-SA-2020-010\", \"source\": \"support@hackerone.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://hackerone.com/reports/662204\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Permissions Required\"]}, {\"url\": \"https://nextcloud.com/security/advisory/?id=NC-SA-2020-008\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://nextcloud.com/security/advisory/?id=NC-SA-2020-009\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://nextcloud.com/security/advisory/?id=NC-SA-2020-010\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "support@hackerone.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"support@hackerone.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-15619\",\"sourceIdentifier\":\"support@hackerone.com\",\"published\":\"2020-02-04T20:15:12.340\",\"lastModified\":\"2024-11-21T04:29:08.627\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improper neutralization of file names, conversation names and board names in Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3 and Nextcloud Deck 0.6.5 causes an XSS when linking them with each others in a project.\"},{\"lang\":\"es\",\"value\":\"Una neutralizaci\u00f3n inapropiada de los nombres de archivo, nombres de conversaci\u00f3n y nombres de tarjeta en Nextcloud Server versi\u00f3n 16.0.3, Nextcloud Talk versi\u00f3n 6.0.3 y Nextcloud Deck versi\u00f3n 0.6.5, causa una vulnerabilidad de tipo XSS cuando se vinculan entre s\u00ed en un proyecto.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.7,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:N/I:P/A:N\",\"baseScore\":3.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":6.8,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"support@hackerone.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nextcloud:deck:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.6.6\",\"matchCriteriaId\":\"BF74F6C8-E3B7-4AC5-820E-02B75C748DC5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"16.0.4\",\"matchCriteriaId\":\"4F7379C3-F476-42A7-BD34-63BEBB2745FB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nextcloud:talk:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"6.0.4\",\"matchCriteriaId\":\"31253046-1C67-45F5-AE9D-BF23F6846253\"}]}]}],\"references\":[{\"url\":\"https://hackerone.com/reports/662204\",\"source\":\"support@hackerone.com\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://nextcloud.com/security/advisory/?id=NC-SA-2020-008\",\"source\":\"support@hackerone.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://nextcloud.com/security/advisory/?id=NC-SA-2020-009\",\"source\":\"support@hackerone.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://nextcloud.com/security/advisory/?id=NC-SA-2020-010\",\"source\":\"support@hackerone.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://hackerone.com/reports/662204\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://nextcloud.com/security/advisory/?id=NC-SA-2020-008\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://nextcloud.com/security/advisory/?id=NC-SA-2020-009\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://nextcloud.com/security/advisory/?id=NC-SA-2020-010\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.